WebService Security authentication problem

sreedhar sri
Greenhorn

Joined: Sep 05, 2012
Posts: 9
Hi,

We have got a webservice with the following security policy from the client.

<wsp:Policy orawsp:provides="{http://docs.oasis-open.org/ns/opencsa/sca/200903}authentication, {http://docs.oasis-open.org/ns/opencsa/sca/200903}clientAuthentication, {http://docs.oasis-open.org/ns/opencsa/sca/200903}clientAuthentication.message, {http://schemas.oracle.com/ws/2006/01/policy}token.usernamePassword"
    wsu:Id="wss_username_token_service_policy"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:orawsp="http://schemas.oracle.com/ws/2006/01/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <sp:SupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <wsp:Policy>
      <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
        <wsp:Policy>
          <sp:WssUsernameToken10/>
        </wsp:Policy>
      </sp:UsernameToken>
    </wsp:Policy>
  </sp:SupportingTokens>
</wsp:Policy>

We generated client classes from the WSDL using the Java JAX-WS tool (used the wsimport command). After that we used the SecurityHandler class (attached the file), which incorporates the security information in the handleMessage() method.

This is the standalone Test class (contains binding information and calls the webservice method).

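import java.util.ArrayList;
import java.util.List;
import javax.xml.ws.Binding;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.handler.Handler;

public class SellerServiceTest {
    public static void main(String args[]) throws Exception {
        // Create the generated service and port first; the binding is obtained from the port
        Service service = new Service();
        Port port = service.getPort();

        // Append the security handler to the port's handler chain
        final Binding binding = ((BindingProvider) port).getBinding();
        List<Handler> handlerList = binding.getHandlerChain();
        if (handlerList == null)
            handlerList = new ArrayList<Handler>();
        handlerList.add(new SecurityHandler(userName, passWord));
        binding.setHandlerChain(handlerList);

        // userName, passWord and saleRequestType are set up elsewhere (not shown in the post)
        SaleResponseType saleResponseType = port.sale(saleRequestType);
    }
}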

The following class is the SecurityHandler code.

import java.util.Set;

import javax.xml.namespace.QName;
import javax.xml.soap.SOAPElement;
import javax.xml.soap.SOAPEnvelope;
import javax.xml.soap.SOAPHeader;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;

public class SecurityHandler implements SOAPHandler<SOAPMessageContext> {

    private String user;
    private String password;

    public SecurityHandler(String user, String password) {
        this.setUser(user);
        this.setPassword(password);
    }

    @Override
    public boolean handleMessage(final SOAPMessageContext msgCtx) {

        // Message direction indicator
        final Boolean outInd = (Boolean) msgCtx.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY);

        // Add security headers to outbound messages only
        if (outInd.booleanValue()) {
            try {
                // SOAP envelope
                final SOAPEnvelope envelope = msgCtx.getMessage().getSOAPPart().getEnvelope();

                // SOAP header; it may not have been created yet
                SOAPHeader header = envelope.getHeader();
                if (header == null)
                    header = envelope.addHeader();

                // Add the wsse Security element
                final SOAPElement security = header.addChildElement("Security", "wsse",
                        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd");
                final SOAPElement userToken = security.addChildElement("UsernameToken", "wsse");
                userToken.addChildElement("Username", "wsse").addTextNode(getUser());
                userToken.addChildElement("Password", "wsse").addTextNode(getPassword());

            } catch (final Exception e) {
                e.printStackTrace();
                return false;
            }
        }
        return true;
    }

    @Override
    public void close(MessageContext arg0) {
        // TODO Auto-generated method stub
    }

    @Override
    public boolean handleFault(SOAPMessageContext arg0) {
        // TODO Auto-generated method stub
        return false;
    }

    @Override
    public Set<QName> getHeaders() {
        // TODO Auto-generated method stub
        return null;
    }

    public String getUser() {
        return user;
    }

    public void setUser(String user) {
        this.user = user;
    }

    public String getPassword() {
        return password;
    }

    public void setPassword(String password) {
        this.password = password;
    }
}



When I called the web service method from a standalone client class, security authentication is done and I got the webservice response.
But when accessing the webservice from the application deployed on JBoss 7.1.0, the SecurityHandler's handleMessage() method is not invoked; due to this I am getting the exception as

org.apache.cxf.ws.policy.PolicyException: No username available
at org.apache.cxf.ws.security.wss4j.UsernameTokenInterceptor.policyNotAsserted(UsernameTokenInterceptor.java:398)
at org.apache.cxf.ws.security.wss4j.UsernameTokenInterceptor.addUsernameToken(UsernameTokenInterceptor.java:341)
at org.apache.cxf.ws.security.wss4j.UsernameTokenInterceptor.addUsernameToken(UsernameTokenInterceptor.java:267)
at org.apache.cxf.ws.security.wss4j.UsernameTokenInterceptor.handleMessage(UsernameTokenInterceptor.java:112)
at org.apache.cxf.ws.security.wss4j.UsernameTokenInterceptor.handleMessage(UsernameTokenInterceptor.java:76)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:531)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:461)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:364)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:317)
at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:88)
00:05:21,350 ERROR [stderr] (http--192.168.172.142-8080-1) Caused by: org.apache.cxf.ws.policy.PolicyException: No username available


Please let me know where the issue is.


Thanks in advance,
Sridhar
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42950
Does the setUser method ever get called in that scenario? If so, is its parameter correct?
sreedhar sri
Greenhorn

Joined: Sep 05, 2012
Posts: 9
Yes the passed parameters are correct. From the standalone Java class the service method is invoked and authentication is done. The problem is that when calling this webservice method from the web application (deployed in JBoss Server), the handleMessage() method is not invoked in the SecurityHandler.

Please let me know if anything is wrong.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42950
> Yes the passed parameters are correct.

Sorry to be pedantic, but I can't tell from your reply whether you have made sure that the setUser method is called with the correct value for the user? How have you made sure of that?
sreedhar sri
Greenhorn

Joined: Sep 05, 2012
Posts: 9
Yes the setUser method is called with the correct value for the user. I put a log message in the setter method; it is invoked and sets the correct user value. The constructor is invoked in the SecurityHandler class. But handleMessage() is not invoked. What is the problem?
Meghana Reddy
Ranch Hand

Joined: Jan 29, 2002
Posts: 76
How are you invoking the setUser() method? Meaning, at what point in your flow are you instantiating the handler and invoking the setUser() method?

Because, in a typical scenario, a handler will not have any setter methods; the framework is supposed to invoke those specific methods.

Try hard coding the user value and see what happens.


Meghana Reddy
sreedhar sri
Greenhorn

Joined: Sep 05, 2012
Posts: 9
Hi,

I am invoking the SecurityHandler in the following way.

handlerList.add(new SecurityHandler(userName,passWord));

The constructor is invoked and the setter is called at that time, and it prints the value being set in the server log.

If I hard-code the username and password instead of passing them in the constructor, then it is not setting the value, because the main problem is that handleMessage() is not invoked in the SecurityHandler class.

But the same handleMessage() is invoked in the standalone Java class.

Please let me know if anything is wrong.


Thanks,
Sreedhar.

Meghana Reddy
Ranch Hand

Joined: Jan 29, 2002
Posts: 76
The only reason I can think of is that the handler is somehow not attached to the Service in the server environment, especially because it is working in the standalone mode.

I don't know much about JBoss, but you can check the documentation to see if there's any additional configuration of handlers needed.

Some time ago, I remember configuring the handlers from the admin page in WebSphere. There probably is a similar configuration in JBoss.
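
Added example, not code from any poster in this thread: the stack trace comes from Apache CXF's UsernameTokenInterceptor, which builds the UsernameToken from the WS-SecurityPolicy itself and reads the credentials from the client's request context rather than from a custom SOAP handler. The property names below are the CXF 2.x ones (`ws-security.username`, `ws-security.password`); the class name, helper names and sample credentials are made up, and the proxy only stands in for a wsimport-generated port.

```java
import java.lang.reflect.Proxy;
import java.util.HashMap;
import java.util.Map;
import javax.xml.ws.BindingProvider;

public class UsernameTokenContextDemo {

    // CXF 2.x names (org.apache.cxf.ws.security.SecurityConstants.USERNAME / PASSWORD)
    static final String CXF_USERNAME = "ws-security.username";
    static final String CXF_PASSWORD = "ws-security.password";

    /** Hypothetical helper: hands the credentials to the CXF policy interceptor. */
    static void setUsernameToken(BindingProvider port, String user, String password) {
        if (user == null || user.isEmpty()) {
            // Fail early instead of waiting for "No username available" at invoke time
            throw new IllegalArgumentException("username required");
        }
        Map<String, Object> ctx = port.getRequestContext();
        ctx.put(CXF_USERNAME, user);
        ctx.put(CXF_PASSWORD, password);
    }

    /** Stand-in for a wsimport-generated port, so the demo runs without a service. */
    static BindingProvider fakePort() {
        final Map<String, Object> requestContext = new HashMap<String, Object>();
        return (BindingProvider) Proxy.newProxyInstance(
                BindingProvider.class.getClassLoader(),
                new Class<?>[] { BindingProvider.class },
                (proxy, method, args) ->
                        "getRequestContext".equals(method.getName()) ? requestContext : null);
    }

    public static void main(String[] args) {
        BindingProvider port = fakePort();
        // Constructed sample values; a real client would load these from configuration
        setUsernameToken(port, "demo-user", "demo-password");
        // Print the keys only, so the password never reaches the log
        System.out.println(port.getRequestContext().keySet());
    }
}
```

With the policy shown in the first post (`WssUsernameToken10`, no hashing assertion) the password is sent as text in `wsse:Password`, whether the handler or CXF writes it, so the endpoint should be called over HTTPS.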
 